Office (OLE) / .DOC malware analysis — malicious · c9a44b1f104f27d1

MALICIOUS

Office (OLE) / .DOC

89.5 KB Created: 2006-07-25 02:49:00 Authoring application: Microsoft Office Word

MD5: b2a357900d5cd36017fd0867f4de171d SHA-1: 9f2c513206bb09d31845d94c64795ce62aa6804e SHA-256: c9a44b1f104f27d10b7eab07813ff7a5cc8e2923a64c268ee0b4222ebf203aa8

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample exhibits significant slack space anomalies and contains XOR-encoded strings, indicating a deliberate attempt to obfuscate its contents. While no specific malicious behavior like script execution or network communication was directly observed in the provided excerpts, these indicators strongly suggest the file is malicious. The obfuscation techniques point towards an attempt to hide malicious payloads or delivery mechanisms.

Heuristics 2

XOR-encoded strings (key 0x92) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x92: 'advapi32.dll', 'shell32.dll'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 91,648 bytes but its declared streams total only 22,175 bytes — 69,473 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.